We all know confidentiality as the simple concept of keeping sensitive information secret. That is, limiting access to it to a small number of authorised individuals.
Doesn’t that sound like security?
We often get asked what the difference is. In reality, security is all about keeping sensitive information assets secure by limiting who has access to them. So what's the difference?
In the modern landscape, not much at all. You can’t have one without the other, so you could argue they’re the same thing. Where confidentiality has differentiated itself from security is in two main areas:
(1) Information classification and handling. Recognising that not all information assets have the same level of sensitivity, a classification scheme defines the different levels, and a risk-based approach then sets the protection each level gets. General confidential data may be more readily available and less tightly secured than top secret information. The scheme should be supported by an Information Assets Register and sometimes a Data Register that tracks the types of data collected, where they are stored, how they are accessed, how they are protected, and the other aspects of keeping that information confidential over time.
(2) Labelling and hard copy documents. Your employees, customers and partners may have access to information without recognising that it needs to be kept confidential. Labelling raises that awareness and attaches some legal accountability, so that those stakeholders protect it. This matters especially for hard copy documents and for document repositories holding information of varying sensitivity: sensitive documents get bundled up with less sensitive ones and are then disposed of, or left somewhere, without the necessary protections, and the information falls into the wrong hands. A labelling approach makes it clear to any audience that a document needs to be kept secure. For highly sensitive data it may include unique codes or systematically enforced labelling on any printed document. You've probably also seen email signatures that apply a default confidentiality notice.
A lot of the software-as-a-service businesses we deal with apply the highest level of security practice to all non-public data: only people specifically authorised to access it, and the fewest people possible, are allowed to access it. They put the control in the hands of their customers, who manage access to their own assets so that it fits their own security and confidentiality expectations. And they don't support printing, so there are no hard copy documents to control.
In the modern landscape of big data and rising security expectations, that "all data is confidential unless otherwise noted" approach keeps things simpler and, by design, addresses the various risks associated with confidentiality. In those instances, effective security translates directly into effective confidentiality.
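As an added illustration (not code from this page or from AssuranceLab) of how the classification approach in (1) and the "all data is confidential unless otherwise noted" default described above look when enforced in software: records carry a classification label, a record that was never labelled is treated as confidential rather than public, and nothing other than public data is readable without an explicit grant managed by the owning tenant. The names (Record, Grant, Policy), the label scale and the sample tenant, users and records are all hypothetical and constructed for the example.

```python
"""Classification-aware, default-deny read check.

Added illustration, not code from the page or from AssuranceLab. Records carry
a classification label (public / internal / confidential / restricted); a
record with no label is treated as CONFIDENTIAL, never as public. Access is
only ever granted through an explicit grant that the owning tenant manages;
there is no implicit allow. All names and sample data are hypothetical.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Iterable, List, Optional, Tuple


class Classification(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class Record:
    record_id: str
    tenant: str
    label: Optional[Classification] = None  # None: never classified

    @property
    def effective_label(self) -> Classification:
        # A missing label must never weaken protection: default to CONFIDENTIAL.
        return self.label if self.label is not None else Classification.CONFIDENTIAL


@dataclass(frozen=True)
class Grant:
    """Tenant-managed grant: principal may read records up to max_label."""
    tenant: str
    principal: str  # a user id, or "*" for every member of the tenant
    max_label: Classification


class Policy:
    def __init__(self, grants: Iterable[Grant]):
        self.grants: List[Grant] = list(grants)
        self.denials: List[Tuple[str, str, str]] = []  # (user, record_id, reason)

    def _deny(self, user: str, record: Record, reason: str) -> bool:
        self.denials.append((user, record.record_id, reason))  # audit trail
        return False

    def can_read(self, user: str, user_tenant: str, record: Record) -> bool:
        label = record.effective_label
        if label is Classification.PUBLIC:
            return True  # the only data released without a grant
        if user_tenant != record.tenant:
            return self._deny(user, record, "cross-tenant")
        for g in self.grants:
            if g.tenant != record.tenant or g.principal not in ("*", user):
                continue
            # A wildcard grant never reaches RESTRICTED: that needs a named grant.
            if label is Classification.RESTRICTED and g.principal == "*":
                continue
            if g.max_label >= label:
                return True
        return self._deny(user, record, f"no grant covers {label.name}")


def demo() -> dict:
    """Constructed sample tenant, grants and records (hypothetical data)."""
    policy = Policy([
        Grant("acme", "*", Classification.INTERNAL),        # everyone at acme
        Grant("acme", "alice", Classification.CONFIDENTIAL),
        Grant("acme", "bob", Classification.RESTRICTED),
    ])
    public = Record("r1", "acme", Classification.PUBLIC)
    unlabelled = Record("r2", "acme")  # no label: handled as CONFIDENTIAL
    restricted = Record("r3", "acme", Classification.RESTRICTED)
    return {
        "outsider_public": policy.can_read("eve", "other", public),
        "outsider_unlabelled": policy.can_read("eve", "other", unlabelled),
        "carol_unlabelled": policy.can_read("carol", "acme", unlabelled),
        "alice_unlabelled": policy.can_read("alice", "acme", unlabelled),
        "alice_restricted": policy.can_read("alice", "acme", restricted),
        "bob_restricted": policy.can_read("bob", "acme", restricted),
        "denials": len(policy.denials),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {allowed}")
```

The two design choices worth noting are that the unlabelled record is the one most likely to leak in practice, so the default is the stricter label, and that the tenant-wide wildcard grant deliberately cannot cover RESTRICTED data, which mirrors the "fewest people possible" rule: the most sensitive class is only reachable by individually named grants.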
The SOC 2 Perspective
Confidentiality is an additional category of the Trust Services Criteria that is optional to include in your SOC 2 report(s). It builds on the control activities covered by the Common Criteria.
Confidentiality 1.1: The entity identifies and maintains confidential information to meet the entity’s objectives related to confidentiality.
Confidentiality 1.2: The entity disposes of confidential information to meet the entity’s objectives related to confidentiality.
AssuranceLab's Best Practices Series
AssuranceLab's best practices series is about highlighting the "real operational benefits" that come from effective control practices. At best, they support your company culture, provide structure and clarity, and enable scalable growth. At worst, they tick the box of what your customers expect, reduce the reactive "firefighting" and time-wasting, and help you demonstrate your compliance with leading standards like SOC 1, SOC 2 and ISO 27001.